strapi/packages/core/admin/server/strategies/api-token.js

'use strict';

const { castArray, isNil } = require('lodash/fp');
const { differenceInHours, parseISO } = require('date-fns');
const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
const constants = require('../services/constants');
const { getService } = require('../utils');

const isReadScope = (scope) => scope.endsWith('find') || scope.endsWith('findOne');

const extractToken = (ctx) => {
  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    const parts = ctx.request.header.authorization.split(/\s+/);

    if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
      return null;
    }

    return parts[1];
  }

  return null;
};

/**
 * Authenticate the validity of the token
 *
 *  @type {import('.').AuthenticateFunction}
 */
const authenticate = async (ctx) => {
  const apiTokenService = getService('api-token');
  const token = extractToken(ctx);

  if (!token) {
    return { authenticated: false };
  }

  const apiToken = await apiTokenService.getBy({
    accessKey: apiTokenService.hash(token),
  });

  // token not found
  if (!apiToken) {
    return { authenticated: false };
  }

  const currentDate = new Date();

  if (!isNil(apiToken.expiresAt)) {
    const expirationDate = new Date(apiToken.expiresAt);
    // token has expired
    if (expirationDate < currentDate) {
      return { authenticated: false, error: new UnauthorizedError('Token expired') };
    }
  }

  // update lastUsedAt if the token has not been used in the last hour
  const hoursSinceLastUsed = differenceInHours(currentDate, parseISO(apiToken.lastUsedAt));
  if (hoursSinceLastUsed >= 1) {
    await strapi.query('admin::api-token').update({
      where: { id: apiToken.id },
      data: { lastUsedAt: currentDate },
    });
  }

  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
      apiToken.permissions.map((action) => ({ action }))
    );

    return { authenticated: true, ability, credentials: apiToken };
  }

  return { authenticated: true, credentials: apiToken };
};

/**
 * Verify the token has the required abilities for the requested scope
 *
 *  @type {import('.').VerifyFunction}
 */
const verify = (auth, config) => {
  const { credentials: apiToken, ability } = auth;

  if (!apiToken) {
    throw new UnauthorizedError('Token not found');
  }

  const currentDate = new Date();

  if (!isNil(apiToken.expiresAt)) {
    const expirationDate = new Date(apiToken.expiresAt);
    // token has expired
    if (expirationDate < currentDate) {
      throw new UnauthorizedError('Token expired');
    }
  }

  // Full access
  if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
    return;
  }

  // Read only
  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
    /**
     * If you don't have `full-access` you can only access `find` and `findOne`
     * scopes. If the route has no scope, then you can't get access to it.
     */
    const scopes = castArray(config.scope);

    if (config.scope && scopes.every(isReadScope)) {
      return;
    }
  }

  // Custom
  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
    if (!ability) {
      throw new ForbiddenError();
    }

    const scopes = castArray(config.scope);

    const isAllowed = scopes.every((scope) => ability.can(scope));

    if (isAllowed) {
      return;
    }
  }

  throw new ForbiddenError();
};

/** @type {import('.').AuthStrategy} */
module.exports = {
  name: 'api-token',
  authenticate,
  verify,
};
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`'use strict';`

Remove didReceiveAPIRequest event 2023-06-19 11:53:24 +02:00			`const { castArray, isNil } = require('lodash/fp');`
update last used at once a day 2023-06-26 11:11:55 +02:00			`const { differenceInHours, parseISO } = require('date-fns');`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`const constants = require('../services/constants');`
			`const { getService } = require('../utils');`

Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const isReadScope = (scope) => scope.endsWith('find') \|\| scope.endsWith('findOne');`
Use array checks in api-token aut strategy 2021-10-11 09:49:35 +02:00
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const extractToken = (ctx) => {`
Support query access_token 2021-11-15 17:54:17 +01:00			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`const parts = ctx.request.header.authorization.split(/\s+/);`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`if (parts[0].toLowerCase() !== 'bearer' \|\| parts.length !== 2) {`
			`return null;`
			`}`

			`return parts[1];`
			`}`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`return null;`
			`};`

verify expiration of token 2022-08-22 09:25:55 +02:00			`/**`
			`* Authenticate the validity of the token`
			`*`
Create an auth strategy for data-transfer Co-authored-by: Bassel Kanso <basselkanso82@gmail.com> Co-authored-by: Ben Irvin <innerdvations@users.noreply.github.com> Co-authored-by: Simone <simone.taeggi@strapi.io> 2023-02-02 17:03:41 +01:00			`* @type {import('.').AuthenticateFunction}`
			`*/`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const authenticate = async (ctx) => {`
Support query access_token 2021-11-15 17:54:17 +01:00			`const apiTokenService = getService('api-token');`
			`const token = extractToken(ctx);`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`if (!token) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: false };`
			`}`

			`const apiToken = await apiTokenService.getBy({`
			`accessKey: apiTokenService.hash(token),`
			`});`

verify expiration of token 2022-08-22 09:25:55 +02:00			`// token not found`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`if (!apiToken) {`
			`return { authenticated: false };`
			`}`

Fix expiration date checks on api token strategy 2022-08-25 15:44:10 +02:00			`const currentDate = new Date();`

null guard for expiration checks 2022-08-25 16:56:50 +02:00			`if (!isNil(apiToken.expiresAt)) {`
			`const expirationDate = new Date(apiToken.expiresAt);`
			`// token has expired`
			`if (expirationDate < currentDate) {`
			`return { authenticated: false, error: new UnauthorizedError('Token expired') };`
			`}`
token doesn't authorize when expired 2022-08-24 10:32:24 +02:00			`}`

lastUsed update resolution to 1 hour 2023-06-26 11:17:51 +02:00			`// update lastUsedAt if the token has not been used in the last hour`
update last used at once a day 2023-06-26 11:11:55 +02:00			`const hoursSinceLastUsed = differenceInHours(currentDate, parseISO(apiToken.lastUsedAt));`
lastUsed update resolution to 1 hour 2023-06-26 11:17:51 +02:00			`if (hoursSinceLastUsed >= 1) {`
update last used at once a day 2023-06-26 11:11:55 +02:00			`await strapi.query('admin::api-token').update({`
			`where: { id: apiToken.id },`
			`data: { lastUsedAt: currentDate },`
			`});`
			`}`
update lastUsed when token is accessed 2022-08-17 23:28:35 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {`
			`const ability = await strapi.contentAPI.permissions.engine.generateAbility(`
Merge branch 'features/api-token-v2' into api-token-v2/permissions-for-api-token 2022-08-18 12:20:45 +02:00			`apiToken.permissions.map((action) => ({ action }))`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`);`

			`return { authenticated: true, ability, credentials: apiToken };`
			`}`

add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: true, credentials: apiToken };`
			`};`

verify expiration of token 2022-08-22 09:25:55 +02:00			`/**`
			`* Verify the token has the required abilities for the requested scope`
			`*`
Create an auth strategy for data-transfer Co-authored-by: Bassel Kanso <basselkanso82@gmail.com> Co-authored-by: Ben Irvin <innerdvations@users.noreply.github.com> Co-authored-by: Simone <simone.taeggi@strapi.io> 2023-02-02 17:03:41 +01:00			`* @type {import('.').VerifyFunction}`
			`*/`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`const verify = (auth, config) => {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`const { credentials: apiToken, ability } = auth;`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
			`if (!apiToken) {`
token doesn't authorize when expired 2022-08-24 10:32:24 +02:00			`throw new UnauthorizedError('Token not found');`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`}`

Fix expiration date checks on api token strategy 2022-08-25 15:44:10 +02:00			`const currentDate = new Date();`

null guard for expiration checks 2022-08-25 16:56:50 +02:00			`if (!isNil(apiToken.expiresAt)) {`
			`const expirationDate = new Date(apiToken.expiresAt);`
			`// token has expired`
			`if (expirationDate < currentDate) {`
			`throw new UnauthorizedError('Token expired');`
			`}`
verify expiration of token 2022-08-22 09:25:55 +02:00			`}`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`// Full access`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return;`
			`}`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`// Read only`
Merge branch 'features/api-token-v2' into api-token-v2/permissions-for-api-token 2022-08-18 12:20:45 +02:00			`if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`/**`
			* If you don't have `full-access` you can only access `find` and `findOne`
			`* scopes. If the route has no scope, then you can't get access to it.`
			`*/`
			`const scopes = castArray(config.scope);`
Use array checks in api-token aut strategy 2021-10-11 09:49:35 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`if (config.scope && scopes.every(isReadScope)) {`
			`return;`
			`}`
			`}`

			`// Custom`
reorganize logic 2022-08-11 12:18:53 +02:00			`else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {`
			`if (!ability) {`
			`throw new ForbiddenError();`
			`}`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`const scopes = castArray(config.scope);`

Merge branch 'features/api-token-v2' into api-token-v2/permissions-for-api-token 2022-08-18 12:20:45 +02:00			`const isAllowed = scopes.every((scope) => ability.can(scope));`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00
			`if (isAllowed) {`
			`return;`
			`}`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`}`

refacto graphql errors 2021-10-27 18:54:58 +02:00			`throw new ForbiddenError();`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`};`

			`/** @type {import('.').AuthStrategy} */`
			`module.exports = {`
			`name: 'api-token',`
			`authenticate,`
			`verify,`
			`};`